Open malware-kitten opened 8 years ago
That's also a really good idea! Plus, whenever we roll out a search feature, we can easily search on active indicators or whatever other criteria we need.
Thanks for that suggestion, I'll try to get that added shortly, on vacation right now, so time is limited.
Workflow is really important and worth thinking carefully about. Opinionated software is good, but those opinions should be well-founded. I like the above, but how would it apply to workflow for non-indicator analysis (e.g. a threat actor)?
@krmaxwell Actors are the exact sort of place I think about things like "historical". I'm sort of against a couple of these examples: custom would be hard, deprecated I agree is wildly specific, but active, inactive, historical all seem like no-brainers. New I think it's better off handled as either a tag or based on date added, which (along with other timestamps) are things I'd like to add to the data model.
I agree with those comments as well. I definitely think we can add a 'new' tag based on how long it's been in. But I think having an active or inactive status would be useful.
But yea, some of those statuses wouldn't fit for everything.
Another feature that would be nice is adding a status to an indicator so that an analyst would be able to track this through a workflow.
A small use case of this would be the following:
This would also assist in having indicators that you may not want to deploy to production tools. For example: If you have an export script pulling all indicators that are not New, Deprecated, or Historical